Organizations may face two significant challenges with conversational AI. First, users want answers where they work – in their CRM, support console, or analytics portal – not in separate tools. Second, implementing a secure embedded chat in their applications may require several weeks of development to build authentication, token verification, domain security, and global delivery infrastructure.
Amazon Quick Suite Embedded Chat helps solve the first challenge by bringing conversational AI directly into your application, so users can query structured data, search documents, and trigger actions without switching tools.
In this post, we show you how to solve the second challenge with a one-click deployment solution for embedding chat agents in enterprise portals using the Quick Suite Embedding SDK.
Solution overview
The solution deploys a secure web portal for embedded chat using Amazon CloudFront for global content delivery, Amazon Cognito for OAuth 2.0 authentication, Amazon API Gateway for REST API endpoints, AWS Lambda for serverless API processing, and OpenID Connect (OIDC) federation for identity integration with Quick Suite.
The solution implements defense-in-depth security with multiple layers of protection: DDoS protection on CloudFront, a private Amazon Simple Storage Service (Amazon S3) bucket with origin access control to help prevent direct access to frontend assets, AWS WAF rate limiting protection on API Gateway, and Amazon Cognito JSON Web Token (JWT) signature verification using public keys before generating time-limited, user-specific embed URLs with least-privilege AWS Identity and Access Management (IAM) permissions.
The following diagram shows the solution architecture.
The workflow includes the following steps:
- Users access a web portal URL, which points to CloudFront.
- CloudFront uses origin access control to fetch HTML, CSS, and JavaScript files from a private S3 bucket.
- The web application checks for a valid authentication token and redirects unauthenticated users to a UI hosted by Amazon Cognito for OAuth 2.0 login.
- Users enter credentials on the Amazon Cognito login page, which validates them and redirects back to the CloudFront URL with a single-use authorization code.
- The application extracts the authorization code and makes an HTTPS API call to API Gateway, which passes through AWS WAF rate limiting.
- API Gateway invokes the Lambda function with the authorization code.
- The Lambda function makes a server-to-server HTTPS call to the Amazon Cognito OAuth token endpoint, exchanging the authorization code for JWTs (ID token, access token, refresh token).
- The function validates the cryptographic signature of the ID token using the Amazon Cognito public keys from its JSON Web Key Set (JWKS), with thread-safe caching.
The following is a decoded JWT example:
- The Lambda function calls the AWS Security Token Service (AWS STS) AssumeRoleWithWebIdentity API with the verified ID token to assume the IAM web identity role and obtain temporary AWS credentials.
- The function uses the temporary credentials to call the Quick Suite ListUsers API to verify the user's existence, then calls the GenerateEmbedUrlForRegisteredUser API to help generate a secure embed URL with domain restrictions.
- The function returns the embed URL in a JSON response with Cross-Origin Resource Sharing (CORS) headers from the API Gateway via CloudFront. The following is an embed URL example:
- The web application served from CloudFront uses the Quick Suite Embedding SDK to create an embedding context and render the chat interface in an HTML iframe with secure cross-origin communication.
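The ID token check from the workflow above (RS256 signature against a cached JWKS, then claim validation), as an added example that is not the solution's own Lambda code. It uses only the Python standard library; the function names, the `fetch` loader and the exact claim checks (`iss`, `aud`, `token_use`, `exp`) are assumptions about how such a check would be written for a Cognito-style ID token.

```python
import base64, hashlib, json, threading, time

# DER DigestInfo prefix for SHA-256, as used by RS256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64d(s):
    """base64url-decode, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class JwksCache:
    """Thread-safe kid -> (n, e) cache. `fetch` is a caller-supplied loader (assumed)."""
    def __init__(self, fetch, ttl=3600, min_refresh=60):
        self._fetch, self._ttl, self._min = fetch, ttl, min_refresh
        self._lock, self._keys, self._loaded = threading.Lock(), {}, 0.0
    def get(self, kid):
        with self._lock:  # only one thread refreshes the key set at a time
            age = time.time() - self._loaded
            # Refresh on expiry, or for an unknown kid (rotation) at most once per min_refresh
            if age > self._ttl or (kid not in self._keys and age > self._min):
                num = lambda v: int.from_bytes(b64d(v), "big")
                self._keys = {k["kid"]: (num(k["n"]), num(k["e"]))
                              for k in self._fetch()["keys"] if k.get("kty") == "RSA"}
                self._loaded = time.time()
            return self._keys.get(kid)

def verify_id_token(token, cache, issuer, client_id, now=None):
    """Return the claims of a valid RS256 ID token, or raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = (dict(json.loads(b64d(x))) for x in (h64, p64))
        sig = b64d(s64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "RS256":  # pin the algorithm; never accept the token's choice
        raise ValueError("unexpected alg")
    key = cache.get(str(header.get("kid")))
    if key is None:
        raise ValueError("unknown kid")
    n, e = key
    k = (n.bit_length() + 7) // 8
    digest = hashlib.sha256(f"{h64}.{p64}".encode()).digest()
    expected = b"\x00\x01" + b"\xff" * (k - 54) + b"\x00" + SHA256_PREFIX + digest
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") != expected:
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong issuer or audience")
    if claims.get("token_use") != "id" or claims.get("exp", 0) <= now:
        raise ValueError("not a current ID token")
    return claims
```

Only a token that passes every check should be handed to AssumeRoleWithWebIdentity; the unknown-`kid` refresh limit keeps a stream of forged tokens from turning into a stream of JWKS downloads.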
You can deploy the solution with the following high-level steps:
- Deploy serverless infrastructure using the AWS Cloud Development Kit (AWS CDK).
- Provision users in Amazon Cognito and Quick Suite.
- Share Quick Suite assets (chat agents and related connections, knowledge base).
- Access the web portal to use Quick Suite chat agents.
Prerequisites
The following prerequisites are required to deploy the solution demonstrated in this post:
Deploy serverless infrastructure using AWS CDK
Complete the following steps to deploy serverless infrastructure using AWS CDK:
- Clone the GitHub repository:
- Deploy infrastructure:
You will be asked to enter your AWS Region code, AWS CloudFormation stack ID and portal title, and your AWS CLI profile.



Provision users in Amazon Cognito and Quick Suite
Complete the following steps to provision users in Amazon Cognito and Quick Suite:
- Create an Amazon Cognito user in an Amazon Cognito user pool:

- Create a federated user in Quick Suite:

Share Quick Suite chat agent
Complete the following steps to share your Quick Suite chat agent:
- Sign in to the Quick Suite console using credentials with the Quick Suite Author Pro role.
- Choose Chat agent in the navigation pane.
- Select the agents you want to share (for example, AnyCompany Ecom Order Assistant) and choose Share.

- Find the username you created earlier (for example, user123@example.com).
- Choose Share.


After sharing this agent, you must also share each linked resource of the agent separately to ensure full functionality.
Access the web portal to use Quick Suite chat agents
Complete the following steps to access the web portal and start using chat agents:
- View the temporary password in the Amazon Cognito verification email.
- Access the CloudFront URL from your web browser with the user ID and temporary password.
- When you log in for the first time, you will be asked to change your password.
After a successful login, you can see My Assistant in the chat interface.
- Select a Region to connect with custom Quick Suite chat agents.

- To see chat agents shared with you, select Shared with me under Filter.

- Choose the agent you want and start chatting.

The following screenshots show the chat interaction of a customer service representative tracking an example online order and processing its return as requested by a verified customer over the phone.




Clean up
To clean up your resources, delete the deployed AWS resources:
Conclusion
The solution addresses the core challenges of embedding conversational AI at scale: securing authentication for thousands of concurrent users across global locations, maintaining enterprise-grade security with comprehensive audit trails, and simplifying deployment with automated infrastructure provisioning. You can customize portal branding, adjust security policies, and integrate with existing identity providers. You can automatically scale to thousands of concurrent users while maintaining pricing.
To try this solution, clone the GitHub repository and deploy the entire infrastructure with a single click to embed Quick Suite chat agents.
About the authors
Satyanarayan Adimula is a Senior Builder in AWS Generative AI Innovation and Delivery. Leveraging over 20 years of data and analytics expertise, he specializes in building agentic AI systems that enable large enterprises to automate complex workflows, accelerate decision making, and drive measurable business results.
